Date: Fri, 15 Dec 2017 19:09:00 +0000 (UTC)
From: "Steve Loughran (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Updated] (HADOOP-14556) S3A to support Delegation Tokens

     [ https://issues.apache.org/jira/browse/HADOOP-14556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steve Loughran updated HADOOP-14556:
------------------------------------
    Attachment: HADOOP-14556-002.patch

Patch 002; in sync with trunk. FileContext tests still failing, as paths returned in getFileStatus/list, etc, don't include the port, that is: they don't have the same URI as the canonical name.

Daryn, if you've got your patch ready, I'd like to see it to see how we can merge things.

For this DT I want to
* add: encryption settings,
* forward session credentials
* pick up env vars and use them if present. Gives you automatic marshalling. Issue: risk of fun with spark here, as it propagates the env vars already. These DTs would take priority for the specific FSs DTs get picked up for. I guess we can conclude that if you enable DTs, you want it
* support assumed roles, so that the client will talk to STS to assume a role before creating the client, and use that for local s3, DDB access, and pass in as the DT credentials

> S3A to support Delegation Tokens
> --------------------------------
>
>                 Key: HADOOP-14556
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14556
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 2.8.1
>            Reporter: Steve Loughran
>         Attachments: HADOOP-14556-001.patch, HADOOP-14556-002.patch
>
>
> S3A to support delegation tokens where
> * an authenticated client can request a token via {{FileSystem.getDelegationToken()}}
> * Amazon's token service is used to request short-lived session secret & id; these will be saved in the token and marshalled with jobs
> * A new authentication provider will look for a token for the current user and authenticate the user if found
> This will not support renewals; the lifespan of a token will be limited to the initial duration. Also, as you can't request an STS token from a temporary session, IAM instances won't be able to issue tokens.
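
The token flow in the issue description, sketched as an added example (not code from the HADOOP-14556 patches): session credentials are marshalled into a token payload, issuance is refused when the caller itself holds session credentials, and an expired token is rejected because there is no renewal. Class, field and method names are hypothetical, and the STS response is a constructed value so the sketch runs offline.

```java
import java.io.*;
import java.time.Instant;

/** Added illustration; not the S3A code from the patches. All names are hypothetical. */
public class SessionTokenSketch {
    /** Session credentials as a token payload; expiry is fixed at issue time (no renewal). */
    static final class SessionCreds {
        final String accessKey, secretKey, sessionToken; final long expiryMillis;
        SessionCreds(String a, String s, String t, long e) {
            accessKey = a; secretKey = s; sessionToken = t; expiryMillis = e;
        }
        // Assumption: long-lived credentials carry an empty session token.
        boolean isSession() { return !sessionToken.isEmpty(); }
    }

    /** Issuer side: temporary (session) credentials cannot be used to request a new session. */
    static byte[] issue(SessionCreds callerCreds, SessionCreds fromSts) throws IOException {
        if (callerCreds.isSession())
            throw new IOException("caller holds session credentials; cannot issue a token");
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (DataOutputStream out = new DataOutputStream(buf)) {
            out.writeUTF(fromSts.accessKey);
            out.writeUTF(fromSts.secretKey);
            out.writeUTF(fromSts.sessionToken);
            out.writeLong(fromSts.expiryMillis);
        }
        return buf.toByteArray();   // secret material: never log these bytes
    }

    /** Worker side: unmarshal the payload and refuse a token past its initial lifespan. */
    static SessionCreds load(byte[] token, long nowMillis) throws IOException {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(token))) {
            SessionCreds c = new SessionCreds(in.readUTF(), in.readUTF(), in.readUTF(), in.readLong());
            if (nowMillis >= c.expiryMillis)
                throw new IOException("token expired at " + Instant.ofEpochMilli(c.expiryMillis));
            return c;
        }
    }

    public static void main(String[] args) throws IOException {
        long now = System.currentTimeMillis();
        // Constructed sample values, not real keys.
        SessionCreds longLived = new SessionCreds("AKIA-CONSTRUCTED", "constructed-secret", "", Long.MAX_VALUE);
        SessionCreds sts = new SessionCreds("ASIA-CONSTRUCTED", "constructed-secret", "constructed-session", now + 3_600_000L);
        byte[] token = issue(longLived, sts);
        System.out.println("valid now: " + load(token, now).accessKey);
        try { load(token, now + 7_200_000L); } catch (IOException e) { System.out.println(e.getMessage()); }
        try { issue(sts, sts); } catch (IOException e) { System.out.println(e.getMessage()); }
    }
}
```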